[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-02-14 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From 8fa8a3e8d3c9532d2cb53b0cc3b75705fd9ad87b Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 1 Feb 2017 11:36:32 +0100
Subject: [PATCH 01/10] tests: tracker: Split Tracker into one-purpose Trackers

There are multiple types of entries and objects accessible in the API and not all
of them have the same set of methods. Splitting Tracker into multiple trackers
should reflect this better.
---
 ipatests/test_xmlrpc/tracker/base.py | 285 +--
 1 file changed, 172 insertions(+), 113 deletions(-)

diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py
index aa88e6b..8b6e97e 100644
--- a/ipatests/test_xmlrpc/tracker/base.py
+++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -15,61 +15,7 @@
 from ipatests.util import Fuzzy
 
 
-class Tracker(object):
-"""Wraps and tracks modifications to a plugin LDAP entry object
-
-Stores a copy of state of a plugin entry object and allows checking that
-the state in the database is the same as expected.
-This allows creating independent tests: the individual tests check
-that the relevant changes have been made. At the same time
-the entry doesn't need to be recreated and cleaned up for each test.
-
-Two attributes are used for tracking: ``exists`` (true if the entry is
-supposed to exist) and ``attrs`` (a dict of LDAP attributes that are
-expected to be returned from IPA commands).
-
-For commonly used operations, there is a helper method, e.g.
-``create``, ``update``, or ``find``, that does these steps:
-
-* ensure the entry exists (or does not exist, for "create")
-* store the expected modifications
-* get the IPA command to run, and run it
-* check that the result matches the expected state
-
-Tests that require customization of these steps are expected to do them
-manually, using lower-level methods.
-Especially the first step (ensure the entry exists) is important for
-achieving independent tests.
-
-The Tracker object also stores information about the entry, e.g.
-``dn``, ``rdn`` and ``name`` which is derived from DN property.
-
-To use this class, the programer must subclass it and provide the
-implementation of following methods:
-
- * make_*_command   -- implementing the API call for particular plugin
-   and operation (add, delete, ...)
-   These methods should use the make_command method
- * check_* commands -- an assertion for a plugin command (CRUD)
- * track_create -- to make an internal representation of the
-   entry
-
-Apart from overriding these methods, the subclass must provide the
-distinguished name of the entry in `self.dn` property.
-
-It is also required to override the class variables defining the sets
-of ldap attributes/keys for these operations specific to the plugin
-being implemented. Take the host plugin test for an example.
-
-The implementation of these methods is not strictly enforced.
-A missing method will cause a NotImplementedError during runtime
-as a result.
-"""
-retrieve_keys = None
-retrieve_all_keys = None
-create_keys = None
-update_keys = None
-
+class BaseTracker(object):
 _override_me_msg = "This method needs to be overridden in a subclass"
 
 def __init__(self, default_version=None):
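Review bot: The renamed class at the `+class BaseTracker(object):` line is left with no docstring at all, while the 49 lines removed just above it were the only description of the tracker contract (what `dn` and `attrs` hold, and which `make_*_command`, `check_*` and `track_create` methods a subclass must supply). A short class docstring should survive the split: one that says BaseTracker wraps an IPA entry, keeps its `dn` and the expected `attrs`, and offers the `run_command`/`make_command` helpers, with the per-operation behaviour and the subclass-contract paragraph moved to wherever the more specific trackers now define those methods. The removed class attributes `retrieve_keys`, `retrieve_all_keys`, `create_keys` and `update_keys` presumably move along with them; any subclass or helper outside this hunk that still reads them from the base would now fail with AttributeError, which is worth checking before merging. `__init__` continues past the end of the hunk, and the identical hunk recurs in the second copy of this patch further down the thread.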
@@ -78,8 +24,6 @@ def __init__(self, default_version=None):
 self._dn = None
 self.attrs = {}
 
-self.exists = False
-
 @property
 def dn(self):
 """A property containing the distinguished name of the entry."""
@@ -138,53 +82,33 @@ def make_command(self, name, *args, **options):
 return functools.partial(self.run_command, name, *args, **options)
 
 def make_fixture(self, request):
-"""Make a pytest fixture for this tracker
+"""Make fixture for the tracker
 
-The fixture ensures the plugin entry does not exist before
-and after the tests that use it.
+Don't do anything here.
 """
-del_command = self.make_delete_command()
-try:
-del_command()
-except errors.NotFound:
-pass
-
-def cleanup():
-existed = self.exists
-try:
-del_command()
-except errors.NotFound:
-if existed:
-raise
-self.exists = False
-
-request.addfinalizer(cleanup)
-
 return self
 
-def ensure_exists(self):
-"""If the entry does not exist (according to tracker state), create it
-"""
-if not self.exists:
-   

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-02-02 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From 11ac9cfa85cee324be81bc6dacf2b757f1933d9a Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 1 Feb 2017 11:36:32 +0100
Subject: [PATCH 1/8] tests: tracker: Split Tracker into one-purpose Trackers

There are multiple types of entries and objects accessible in the API and not all
of them have the same set of methods. Splitting Tracker into multiple trackers
should reflect this better.
---
 ipatests/test_xmlrpc/tracker/base.py | 285 +--
 1 file changed, 172 insertions(+), 113 deletions(-)

diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py
index aa88e6b..8b6e97e 100644
--- a/ipatests/test_xmlrpc/tracker/base.py
+++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -15,61 +15,7 @@
 from ipatests.util import Fuzzy
 
 
-class Tracker(object):
-"""Wraps and tracks modifications to a plugin LDAP entry object
-
-Stores a copy of state of a plugin entry object and allows checking that
-the state in the database is the same as expected.
-This allows creating independent tests: the individual tests check
-that the relevant changes have been made. At the same time
-the entry doesn't need to be recreated and cleaned up for each test.
-
-Two attributes are used for tracking: ``exists`` (true if the entry is
-supposed to exist) and ``attrs`` (a dict of LDAP attributes that are
-expected to be returned from IPA commands).
-
-For commonly used operations, there is a helper method, e.g.
-``create``, ``update``, or ``find``, that does these steps:
-
-* ensure the entry exists (or does not exist, for "create")
-* store the expected modifications
-* get the IPA command to run, and run it
-* check that the result matches the expected state
-
-Tests that require customization of these steps are expected to do them
-manually, using lower-level methods.
-Especially the first step (ensure the entry exists) is important for
-achieving independent tests.
-
-The Tracker object also stores information about the entry, e.g.
-``dn``, ``rdn`` and ``name`` which is derived from DN property.
-
-To use this class, the programer must subclass it and provide the
-implementation of following methods:
-
- * make_*_command   -- implementing the API call for particular plugin
-   and operation (add, delete, ...)
-   These methods should use the make_command method
- * check_* commands -- an assertion for a plugin command (CRUD)
- * track_create -- to make an internal representation of the
-   entry
-
-Apart from overriding these methods, the subclass must provide the
-distinguished name of the entry in `self.dn` property.
-
-It is also required to override the class variables defining the sets
-of ldap attributes/keys for these operations specific to the plugin
-being implemented. Take the host plugin test for an example.
-
-The implementation of these methods is not strictly enforced.
-A missing method will cause a NotImplementedError during runtime
-as a result.
-"""
-retrieve_keys = None
-retrieve_all_keys = None
-create_keys = None
-update_keys = None
-
+class BaseTracker(object):
 _override_me_msg = "This method needs to be overridden in a subclass"
 
 def __init__(self, default_version=None):
@@ -78,8 +24,6 @@ def __init__(self, default_version=None):
 self._dn = None
 self.attrs = {}
 
-self.exists = False
-
 @property
 def dn(self):
 """A property containing the distinguished name of the entry."""
@@ -138,53 +82,33 @@ def make_command(self, name, *args, **options):
 return functools.partial(self.run_command, name, *args, **options)
 
 def make_fixture(self, request):
-"""Make a pytest fixture for this tracker
+"""Make fixture for the tracker
 
-The fixture ensures the plugin entry does not exist before
-and after the tests that use it.
+Don't do anything here.
 """
-del_command = self.make_delete_command()
-try:
-del_command()
-except errors.NotFound:
-pass
-
-def cleanup():
-existed = self.exists
-try:
-del_command()
-except errors.NotFound:
-if existed:
-raise
-self.exists = False
-
-request.addfinalizer(cleanup)
-
 return self
 
-def ensure_exists(self):
-"""If the entry does not exist (according to tracker state), create it
-"""
-if not self.exists:
- 

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-02-01 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From cd72d4375c7a5b6d590b85cbe2ce0f049aa29d42 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH 1/9] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 184 +++
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  17 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  27 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   4 +
 ipapython/dn.py|   9 +
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 174 +-
 ipaserver/plugins/certmap.py   | 357 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  20 +++
 15 files changed, 843 insertions(+), 11 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..a87fec1 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: 

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-01-25 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From 29767acc613c28711db5383c5a3b266f69316188 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:17:35 +0100
Subject: [PATCH 1/3] test_xmlrpc: tracker: Add enable and disable methods to
 tracker

Prepare tracker for easier testing of *-{en,dis}able commands.
---
 ipatests/test_xmlrpc/tracker/base.py | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py
index aa88e6b..d8cd3a6 100644
--- a/ipatests/test_xmlrpc/tracker/base.py
+++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -198,6 +198,14 @@ def make_update_command(self, updates):
 """Make function that modifies the entry using ${CMD}_mod"""
 raise NotImplementedError(self._override_me_msg)
 
+def make_enable_command(self):
+"""Make function that enables the entry using ${CMD}_enable"""
+raise NotImplementedError(self._override_me_msg)
+
+def make_disable_command(self):
+"""Make function that disables the entry using ${CMD}_disable"""
+raise NotImplementedError(self._override_me_msg)
+
 def create(self):
 """Helper function to create an entry and check the result"""
 self.track_create()
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None):
 def check_update(self, result, extra_keys=()):
 """Check the plugin's `mod` command result"""
 raise NotImplementedError(self._override_me_msg)
+
+def enable(self):
+command = self.make_enable_command()
+result = command()
+self.check_enable(result)
+
+def check_enable(self, result):
+"""Check the plugin's `enable` command result"""
+raise NotImplementedError(self._override_me_msg)
+
+def disable(self):
+command = self.make_disable_command()
+result = command()
+self.check_disable(result)
+
+def check_disable(self, result):
+"""Check the plugin's `disable` command result"""
+raise NotImplementedError(self._override_me_msg)
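Review bot: `enable()` and `disable()` are the only helpers added in this hunk without a docstring, while their siblings `check_enable`/`check_disable` and the existing `create` (`"""Helper function to create an entry and check the result"""`) all have one; add `"""Helper function to enable the entry and check the result"""` and the matching `"""Helper function to disable the entry and check the result"""`. Unlike `check_update(self, result, extra_keys=())` in the context above, the new `check_enable(self, result)` and `check_disable(self, result)` take no `extra_keys`, so a plugin whose enable/disable summary carries extra keys has no hook; a parallel `extra_keys=()` parameter would keep the check signatures consistent, if the result shape is indeed the same. Neither helper records the new enabled state in the tracker's expected `attrs`, which appears to be left to the subclass's `check_*`; a one-line comment saying so would save the next author from looking for it. The same hunk appears again in the two later copies of this patch in the thread.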

From 7cf43ea8033694b9c20625cb3015c2cb8755fef2 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:22:45 +0100
Subject: [PATCH 2/3] test: certmap: Add basic tests for certmaprule commands.

https://fedorahosted.org/freeipa/ticket/6542
---
 ipatests/test_xmlrpc/objectclasses.py  |   5 +
 ipatests/test_xmlrpc/test_certmap_plugin.py| 107 
 ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 +
 3 files changed, 279 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py
 create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1ea020b..0a15a21 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -227,3 +227,8 @@
 u'top',
 u'ipaca',
 ]
+
+certmaprule = [
+u'top',
+u'ipacertmaprule',
+]
diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py
new file mode 100644
index 000..9343f9a
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_certmap_plugin.py
@@ -0,0 +1,107 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import itertools
+import pytest
+
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker
+
+certmaprule_create_params = {
+u'cn': u'test_rule',
+u'description': u'Certificate mapping and matching rule for test '
+u'purposes',
+u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'),
+u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and '
+  u'consumed by SSSD',
+u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined '
+u'and consumed by SSSD',
+u'associateddomain': u'example.org',
+u'ipacertmappriority': u'1',
+}
+
+certmaprule_update_params = {
+u'description': u'Changed description',
+u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'),
+u'ipacertmapmaprule': u'changed arbitrary mapping rule',
+u'ipacertmapmatchrule': u'changed arbitrary maching rule',
+u'associateddomain': u'changed.example.org',
+u'ipacertmappriority': u'5',
+}
+
+certmaprule_optional_params = (
+'description',
+'ipacertmapissuer',
+'ipacertmapmaprule',
+'ipacertmapmatchrule',
+'ipaassociateddomain',
+'ipacertmappriority',
+)
+
+def 

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-01-25 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From cd72d4375c7a5b6d590b85cbe2ce0f049aa29d42 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH 1/4] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 184 +++
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  17 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  27 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   4 +
 ipapython/dn.py|   9 +
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 174 +-
 ipaserver/plugins/certmap.py   | 357 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  20 +++
 15 files changed, 843 insertions(+), 11 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..a87fec1 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: 

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-01-25 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From bdd96f302520fd9cbef19d2b2716e8c29244750d Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:17:35 +0100
Subject: [PATCH 1/3] test_xmlrpc: tracker: Add enable and disable methods to
 tracker

Prepare tracker for easier testing of *-{en,dis}able commands.
---
 ipatests/test_xmlrpc/tracker/base.py | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py
index aa88e6b..d8cd3a6 100644
--- a/ipatests/test_xmlrpc/tracker/base.py
+++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -198,6 +198,14 @@ def make_update_command(self, updates):
 """Make function that modifies the entry using ${CMD}_mod"""
 raise NotImplementedError(self._override_me_msg)
 
+def make_enable_command(self):
+"""Make function that enables the entry using ${CMD}_enable"""
+raise NotImplementedError(self._override_me_msg)
+
+def make_disable_command(self):
+"""Make function that disables the entry using ${CMD}_disable"""
+raise NotImplementedError(self._override_me_msg)
+
 def create(self):
 """Helper function to create an entry and check the result"""
 self.track_create()
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None):
 def check_update(self, result, extra_keys=()):
 """Check the plugin's `mod` command result"""
 raise NotImplementedError(self._override_me_msg)
+
+def enable(self):
+command = self.make_enable_command()
+result = command()
+self.check_enable(result)
+
+def check_enable(self, result):
+"""Check the plugin's `enable` command result"""
+raise NotImplementedError(self._override_me_msg)
+
+def disable(self):
+command = self.make_disable_command()
+result = command()
+self.check_disable(result)
+
+def check_disable(self, result):
+"""Check the plugin's `disable` command result"""
+raise NotImplementedError(self._override_me_msg)

From b6ddcc0aaa69fcf6a17829af0385433550f3c363 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:22:45 +0100
Subject: [PATCH 2/3] test: certmap: Add basic tests for certmaprule commands.

https://fedorahosted.org/freeipa/ticket/6542
---
 ipatests/test_xmlrpc/objectclasses.py  |   5 +
 ipatests/test_xmlrpc/test_certmap_plugin.py| 107 
 ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 +
 3 files changed, 279 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py
 create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1ea020b..0a15a21 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -227,3 +227,8 @@
 u'top',
 u'ipaca',
 ]
+
+certmaprule = [
+u'top',
+u'ipacertmaprule',
+]
diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py
new file mode 100644
index 000..9343f9a
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_certmap_plugin.py
@@ -0,0 +1,107 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import itertools
+import pytest
+
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker
+
+certmaprule_create_params = {
+u'cn': u'test_rule',
+u'description': u'Certificate mapping and matching rule for test '
+u'purposes',
+u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'),
+u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and '
+  u'consumed by SSSD',
+u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined '
+u'and consumed by SSSD',
+u'associateddomain': u'example.org',
+u'ipacertmappriority': u'1',
+}
+
+certmaprule_update_params = {
+u'description': u'Changed description',
+u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'),
+u'ipacertmapmaprule': u'changed arbitrary mapping rule',
+u'ipacertmapmatchrule': u'changed arbitrary maching rule',
+u'associateddomain': u'changed.example.org',
+u'ipacertmappriority': u'5',
+}
+
+certmaprule_optional_params = (
+'description',
+'ipacertmapissuer',
+'ipacertmapmaprule',
+'ipacertmapmatchrule',
+'ipaassociateddomain',
+'ipacertmappriority',
+)
+
+def 

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-01-24 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From bdd96f302520fd9cbef19d2b2716e8c29244750d Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:17:35 +0100
Subject: [PATCH 1/3] test_xmlrpc: tracker: Add enable and disable methods to
 tracker

Prepare tracker for easier testing of *-{en,dis}able commands.
---
 ipatests/test_xmlrpc/tracker/base.py | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py
index aa88e6b..d8cd3a6 100644
--- a/ipatests/test_xmlrpc/tracker/base.py
+++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -198,6 +198,14 @@ def make_update_command(self, updates):
 """Make function that modifies the entry using ${CMD}_mod"""
 raise NotImplementedError(self._override_me_msg)
 
+def make_enable_command(self):
+"""Make function that enables the entry using ${CMD}_enable"""
+raise NotImplementedError(self._override_me_msg)
+
+def make_disable_command(self):
+"""Make function that disables the entry using ${CMD}_disable"""
+raise NotImplementedError(self._override_me_msg)
+
 def create(self):
 """Helper function to create an entry and check the result"""
 self.track_create()
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None):
 def check_update(self, result, extra_keys=()):
 """Check the plugin's `mod` command result"""
 raise NotImplementedError(self._override_me_msg)
+
+def enable(self):
+command = self.make_enable_command()
+result = command()
+self.check_enable(result)
+
+def check_enable(self, result):
+"""Check the plugin's `enable` command result"""
+raise NotImplementedError(self._override_me_msg)
+
+def disable(self):
+command = self.make_disable_command()
+result = command()
+self.check_disable(result)
+
+def check_disable(self, result):
+"""Check the plugin's `disable` command result"""
+raise NotImplementedError(self._override_me_msg)

From b6ddcc0aaa69fcf6a17829af0385433550f3c363 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:22:45 +0100
Subject: [PATCH 2/3] test: certmap: Add basic tests for certmaprule commands.

https://fedorahosted.org/freeipa/ticket/6542
---
 ipatests/test_xmlrpc/objectclasses.py  |   5 +
 ipatests/test_xmlrpc/test_certmap_plugin.py| 107 
 ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 +
 3 files changed, 279 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py
 create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1ea020b..0a15a21 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -227,3 +227,8 @@
 u'top',
 u'ipaca',
 ]
+
+certmaprule = [
+u'top',
+u'ipacertmaprule',
+]
diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py
new file mode 100644
index 000..9343f9a
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_certmap_plugin.py
@@ -0,0 +1,107 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import itertools
+import pytest
+
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker
+
+certmaprule_create_params = {
+u'cn': u'test_rule',
+u'description': u'Certificate mapping and matching rule for test '
+u'purposes',
+u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'),
+u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and '
+  u'consumed by SSSD',
+u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined '
+u'and consumed by SSSD',
+u'associateddomain': u'example.org',
+u'ipacertmappriority': u'1',
+}
+
+certmaprule_update_params = {
+u'description': u'Changed description',
+u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'),
+u'ipacertmapmaprule': u'changed arbitrary mapping rule',
+u'ipacertmapmatchrule': u'changed arbitrary maching rule',
+u'associateddomain': u'changed.example.org',
+u'ipacertmappriority': u'5',
+}
+
+certmaprule_optional_params = (
+'description',
+'ipacertmapissuer',
+'ipacertmapmaprule',
+'ipacertmapmatchrule',
+'ipaassociateddomain',
+'ipacertmappriority',
+)
+
+def 

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-01-24 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From b758cf15199a42a707c1028a29ec4772d24589eb Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH 1/4] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt   |  16 +-
 API.txt   | 154 +
 VERSION.m4|   4 +-
 install/share/73certmap.ldif  |  17 ++
 install/share/Makefile.am |   1 +
 install/updates/73-certmap.update |  27 +++
 install/updates/Makefile.am   |   1 +
 ipalib/constants.py   |   2 +
 ipaserver/install/dsinstance.py   |   1 +
 ipaserver/plugins/baseuser.py |  11 +-
 ipaserver/plugins/certmap.py  | 345 ++
 ipaserver/plugins/user.py | 173 ++-
 12 files changed, 745 insertions(+), 7 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..ec2eeca 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krbprincipalkey || passwordhistory || 

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-01-18 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From fb73c25fa30d0d374010cfc2245fbe60726f7389 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:17:35 +0100
Subject: [PATCH 1/2] test_xmlrpc: tracker: Add enable and disable methods to
 tracker

Prepare tracker for easier testing of *-{en,dis}able commands.
---
 ipatests/test_xmlrpc/tracker/base.py | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py
index aa88e6b..d8cd3a6 100644
--- a/ipatests/test_xmlrpc/tracker/base.py
+++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -198,6 +198,14 @@ def make_update_command(self, updates):
 """Make function that modifies the entry using ${CMD}_mod"""
 raise NotImplementedError(self._override_me_msg)
 
+def make_enable_command(self):
+"""Make function that enables the entry using ${CMD}_enable"""
+raise NotImplementedError(self._override_me_msg)
+
+def make_disable_command(self):
+"""Make function that disables the entry using ${CMD}_disable"""
+raise NotImplementedError(self._override_me_msg)
+
 def create(self):
 """Helper function to create an entry and check the result"""
 self.track_create()
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None):
 def check_update(self, result, extra_keys=()):
 """Check the plugin's `mod` command result"""
 raise NotImplementedError(self._override_me_msg)
+
+def enable(self):
+command = self.make_enable_command()
+result = command()
+self.check_enable(result)
+
+def check_enable(self, result):
+"""Check the plugin's `enable` command result"""
+raise NotImplementedError(self._override_me_msg)
+
+def disable(self):
+command = self.make_disable_command()
+result = command()
+self.check_disable(result)
+
+def check_disable(self, result):
+"""Check the plugin's `disable` command result"""
+raise NotImplementedError(self._override_me_msg)
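Review bot: `enable()` and `disable()` lack the one-line docstring that every other helper in this hunk and the `create()` helper above it carry; add `"""Helper function to enable the entry and check the result"""` and `"""Helper function to disable the entry and check the result"""` respectively. Neither helper updates the tracker's expected state before or after the command runs, in contrast to `create()` calling `track_create()` first, so a subclass tracking `ipaenabledflag` presumably has to refresh it inside `check_enable`/`check_disable` or a later retrieve will compare against a stale flag — either document that contract or add `track_enable`/`track_disable` hooks. The enclosing class begins outside the hunk.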

From 0f5f8531edce915c02cabdcb215f0f2134b880a1 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:22:45 +0100
Subject: [PATCH 2/2] test: certmap: Add basic tests for certmaprule commands.

https://fedorahosted.org/freeipa/ticket/6542
---
 ipatests/test_xmlrpc/objectclasses.py  |   5 +
 ipatests/test_xmlrpc/test_certmap_plugin.py| 101 +++
 ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 +
 3 files changed, 273 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py
 create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1ea020b..0a15a21 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -227,3 +227,8 @@
 u'top',
 u'ipaca',
 ]
+
+certmaprule = [
+u'top',
+u'ipacertmaprule',
+]
diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py
new file mode 100644
index 000..4086333
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_certmap_plugin.py
@@ -0,0 +1,101 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import pytest
+import itertools
+
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker
+
+certmaprule_create_params = {
+u'cn': u'test_rule',
+u'description': u'Certificate mapping and matching rule for test '
+u'purposes',
+u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'),
+u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and '
+  u'consumed by SSSD',
+u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined '
+u'and consumed by SSSD',
+u'associateddomain': u'example.org',
+u'ipacertmappriority': u'1',
+}
+
+certmaprule_update_params = {
+u'description': u'Changed description',
+u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'),
+u'ipacertmapmaprule': u'changed arbitrary mapping rule',
+u'ipacertmapmatchrule': u'changed arbitrary maching rule',
+u'associateddomain': u'changed.example.org',
+u'ipacertmappriority': u'5',
+}
+
+certmaprule_optional_params = (
+'description',
+'ipacertmapissuer',
+'ipacertmapmaprule',
+'ipacertmapmatchrule',
+'ipaassociateddomain',
+'ipacertmappriority',
+)
+
+